Website Usability Test Nova Act

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned for browser-based usability testing, but it uses a Nova Act API key, drives real websites, and saves detailed screenshots/page content locally.

Install only if you are comfortable giving the skill access to a Nova Act API key and letting it automate a browser on chosen websites. Prefer test environments or disposable accounts, monitor high-impact workflows, and delete generated traces/reports if they contain sensitive information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run on production sites or real accounts, the browser automation could fill forms, add items to carts, or navigate close to high-impact actions.

Why it was flagged

The skill can drive a browser through real workflows that may interact with live sites. This is central to usability testing and safety stops are disclosed, but users should choose targets carefully.

Skill content

**Workflow Testing**: Tests complete user journeys (booking flights, checkout, posting) with safety guardrails

Recommendation

Run against test environments or disposable accounts where possible, and confirm the agent stops before payment, publishing, account creation, or other material actions.

What this means

Anyone with access to the config file or generated environment could potentially use the Nova Act API key.

Why it was flagged

The skill uses a local Nova Act API key. This credential access is expected for the Nova Act integration and is clearly disclosed.

Skill content

**Reads:** `~/.openclaw/config/nova-act.json` (your API key)

Recommendation

Use a dedicated API key if possible, keep the config file private, and rotate the key if it is exposed.

What this means

Local trace files and reports may contain screenshots, page text, form contents, or other sensitive information from tested sites.

Why it was flagged

The skill persistently stores detailed browsing traces. This is useful for usability review, but it can capture sensitive page content or PII.

Skill content

Trace files contain: Screenshots of every page visited; Full page content (HTML, text); Browser actions and AI decisions

Recommendation

Avoid testing pages with real personal data unless necessary, use non-production environments, and review/delete `nova_act_logs` and reports after use.

What this means

Dependency versions may change over time, and installation pulls code/browser components from external package sources.

Why it was flagged

The documented setup relies on user-directed, unpinned package and browser installs. This is normal for the skill’s browser automation purpose, but it introduces standard dependency provenance risk.

Skill content

`pip3 install nova-act pydantic playwright` ... `playwright install chromium`

Recommendation

Install from trusted package indexes, consider pinning versions in your own environment, and avoid running optional privileged install commands unless you understand them.